Pandemic contact tracing is an important tool. Operating such a tool while respecting personal privacy rights can be tricky. Just ask the state governments of North Dakota and South Dakota.
The governors of the Dakotas have urged usage of a locally developed application to trace coronavirus exposure. Operators of this application, however, quickly violated its privacy policy by sharing location and user information with third-party entities.
The Care19 app, developed by ProudCrowd, of North Dakota, was endorsed by state governments in response to the coronavirus. Governors from both North and South Dakota openly touted the app as a means to reduce the number of infections. The app’s privacy policy had stated that the “location data is private to you and is stored securely on ProudCrowd, LLC servers” and not shared with third parties “unless you consent or ProudCrowd is compelled under federal regulations.” This representation was not true.
The app did send data to personal marketing companies. According to privacy watchdog Jumbo Privacy, the Care19 app had built-in lines of code that send location and identification data to third-party companies including Foursquare, BugFender and Google. Some of these entities market to consumers using location data.
ProudCrowd developed Care19 as “a free mobile app . . . to help slow the spread of COVID-19 in North Dakota.” The app works by identifying individuals who may have had contact with people who have tested positive.
Individuals using the app are given a random ID number, and the app anonymously caches the individual’s locations throughout the day. The app stores location data for visits of 10 minutes or more, and the ID number of each individual contains no other personal information. Individuals who test positive for COVID-19 can consent to their information being sent to the state departments of health in order to conduct contact tracing.
After some scrutiny, the privacy policy was revised to say that third parties “may have temporary access to aspects of your data for their specific data processing tasks. However, they will not collect this data in a form that allows themselves or others to access or otherwise use this data.” The governments of the Dakotas have maintained their faith in the app. North Dakota Governor Doug Burgum went as far as saying that “[t]he anonymous information Care19 is gathering can save lives, and smartly and safely using technology is one more way to help us speed up our economy recovery.”
In 2015, then-FTC Director Jessica Rich expressed the significance of misleading privacy policies. Her statement included that “materially misleading statements or omissions about privacy or data security that are likely to mislead reasonable consumers, such statements or omissions are deceptive. The FTC has used this authority, for example, to challenge false and misleading claims about how companies use and share consumer data; whether they track consumers’ movements online; whether they are honoring consumers’ opt-outs; and whether they are delivering on promises to secure consumers’ financial and health data.” The FTC has brought hundreds of enforcement actions protecting the privacy of consumer information. Its enforcement actions have addressed practices offline, online, and in the mobile environment.
ProudCrowd is unlikely to be vulnerable to enforcement actions. The scrutiny that ProudCrowd has undergone, despite being touted by state governments, for deviating slightly from its privacy policy should serve as a lesson for every entity to make the necessary efforts to have sound policies in place. Individual privacy policies should accurately reflect business practices. Gone are the days (if they ever existed) when entities could post a generic policy on a website and assume they have complied with various laws.